Security Scanning Policy

As a proactive measure to ensure the integrity and security of our software, we have implemented a robust policy around package and application security scanning. This document outlines our standard procedures and Service Level Agreements (SLAs) for addressing various levels of security vulnerabilities.

Routine Scans with AWS Inspector

To maintain the highest standards of security, we conduct thorough scans using AWS Inspector on every software release. This process helps us identify and address potential vulnerabilities before they impact our users. AWS Inspector classifies the severity of findings based on a numerical score, which ranges from Informational (score of 0) to Critical (scores from 9.0 to 10.0). These scores are derived from the NVD/CVSS system, taking into account various security metrics. This classification system guides our response strategies and prioritization of fixes. For more details, you can refer to the AWS Inspector documentation on Severity Levels for Amazon Inspector Findings.

Response to Critical Severity Vulnerabilities

We understand the severity of CRITICAL vulnerabilities, so we expect no CRITICAL vulnerability to be present in a build at the time of release. However, should any CRITICAL vulnerabilities emerge post-release, they are addressed in the subsequent release, provided it is technically feasible.

Response to High Severity Vulnerabilities

For vulnerabilities classified as 'High', we adopt a best-effort approach to implement fixes in the next scheduled release. Our release cycle typically spans one month, allowing us to systematically address these vulnerabilities while ensuring continuous improvement in our software's security.

Policy for Medium and Low Vulnerabilities in Self-Hosted Comet

Recognizing the environment of self-hosted Comet, which usually operates in a closed network with no internet exposure, we have a different approach for Medium and Low vulnerabilities. Given the reduced risk profile, we do not have a specific SLA for fixing these categories of vulnerabilities. However, we continuously monitor and assess these vulnerabilities to ensure they do not escalate or pose a significant threat.

Inclusion of Scanning Reports in Changelogs

To maintain transparency and keep our users informed, we include a detailed scanning report in the changelog of every release. This report outlines the vulnerabilities identified and the actions taken to address them, providing our users with a clear understanding of the security measures in place.

Addressing Post-Release Vulnerabilities

It's important to acknowledge that security vulnerabilities can emerge just after a release. This is a reality of the ever-evolving landscape of software security. Despite our rigorous scanning and mitigation efforts, vulnerabilities may appear post-release. Our team remains vigilant and prepared to respond swiftly to any such occurrences. We continually monitor our software for new vulnerabilities and take immediate action to address them, ensuring the ongoing security and reliability of our products.

Jul. 9, 2024